Add the PP2_SUBTYPE_SSL_CERT code point reservation in the proxy
protocol specification. This is useful in cases where the backend
needs to perform mTLS authentication, but the rules for certificate
validation are backend-specific (e.g. database of allowed
certificate hashes).

This is left optional to leave it up to the frontend configuration
to dictate whether to forward raw certificate data.
---
 doc/proxy-protocol.txt | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt
index fe96d3b13b01..bb08adafcbb4 100644
--- a/doc/proxy-protocol.txt
+++ b/doc/proxy-protocol.txt
@@ -30,6 +30,7 @@ Revision history
    2020/03/05 - added the unique ID TLV type (Tim Düsterhus)
    2025/09/09 - added SSL-related TLVs for key exchange group and signature
                 scheme (Steven Collison)
+   2026/01/15 - added SSL client certificate TLV (Simon Ser)
 
 1. Background
 
@@ -549,6 +550,7 @@ The following types have already been registered for the 
<type> field :
         #define PP2_SUBTYPE_SSL_KEY_ALG    0x25
         #define PP2_SUBTYPE_SSL_GROUP      0x26
         #define PP2_SUBTYPE_SSL_SIG_SCHEME 0x27
+        #define PP2_SUBTYPE_SSL_CERT       0x28
         #define PP2_TYPE_NETNS             0x30
 
 
@@ -672,6 +674,10 @@ The second level TLV PP2_SUBTYPE_SSL_SIG_SCHEME provides 
the US-ASCII string
 name of the algorithm the frontend used to sign the ServerKeyExchange or
 CertificateVerify message, for example "rsa_pss_rsae_sha256".
 
+The optional second level TLV PP2_SUBTYPE_SSL_CERT provides the raw X.509
+client certificate encoded in ASN.1 DER. The frontend may choose to omit this
+TLV depending on configuration.
+
 In all cases, the string representation (in UTF8) of the Common Name field
 (OID: 2.5.4.3) of the client certificate's Distinguished Name, is appended
 using the TLV format and the type PP2_SUBTYPE_SSL_CN. E.g. "example.com".
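Review bot: the new paragraph at "The optional second level TLV PP2_SUBTYPE_SSL_CERT provides the raw X.509 client certificate" leaves two things undefined that a backend implementer needs: whether the value is the end-entity certificate alone or may carry the presented chain, and what the backend may infer from its presence. Since the commit message motivates this with backend-specific validation (a database of allowed certificate hashes), spell out that only the client's end-entity certificate is carried in DER, that the frontend forwards the bytes as received from the client, and that the backend must apply its own validation rather than treat the certificate as already authenticated. The sentence "The frontend may choose to omit this TLV depending on configuration" restates "optional"; collapse the two into one, e.g. "This TLV is optional; a frontend emits it only when configured to do so, and a backend must not rely on its presence." It would also help to note that a DER certificate is typically a few kilobytes, so implementers must check that it fits within the TLV length field before emitting it, and fall back to the PP2_SUBTYPE_SSL_CN TLV described in the following paragraph when it does not.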
-- 
2.52.0